Attack on crypto: hackers change strategy

2025 Became a Record Year for Crypto Thieves

2025 became a turning point for crypto security: the industry faced a record volume of thefts, but key risks shifted from technical vulnerabilities to access management and user errors. Security is becoming a problem of discipline, not technology.

From January to December, attackers stole over $3.4 billion in crypto assets. What set the year apart was a decrease in the number of attacks combined with a sharp increase in average damage: hackers act less often but much more effectively.

North Korea's Dominance and the New Economy of Theft

North Korea still holds the leading position in crypto crime. It accounted for about 76% of all crypto service compromises. North Korean groups stole at least $2 billion, 51% more than the previous year. The strategy has changed: fewer operations, higher effectiveness.

The evolution of money laundering schemes deserves particular attention. Unlike other groups, which operate with large transfers of $1-10 million, North Korean hackers split flows into tranches of up to $300,000. The assets then pass through cross-chain bridges and mixers, after which they are distributed through intermediary networks and Asian (mostly Chinese) crypto services that act as guarantors of transactions and make it possible to bypass strict compliance procedures. As a result, stolen funds quickly disappear into chains of transfers, migrate between networks, and are cashed out into fiat through opaque providers.

Bybit Case: Attack Without Blockchain Hacking

A notable example was the February attack on Bybit, in which about $1.5 billion was withdrawn from the exchange’s infrastructure, mostly in ETH. North Korean groups were also behind the attack.

The key point is that the blockchain itself was not hacked. The vulnerability was in the asset management system: attackers gained the ability to legitimately sign withdrawal transactions, bypassing internal control mechanisms and disguising the theft as authorized operations.

Shift of Focus: Who Became the Victim in 2025

By the end of the year, the makeup of the victims had clearly changed:

  • Private users are increasingly under attack, not just protocols and service infrastructure. About 158,000 incidents related to personal wallet compromises were recorded.
  • Individual wallets accounted for about 20% of the total stolen funds. The main scenarios are phishing, fake websites and extensions, fake “support services” in messaging apps, and signing malicious transactions. The key factor is human error, not code bugs.
  • Solana stands out in terms of the number of victims: tens of thousands of wallet compromises were recorded. The reason is not weak network protection, but the scale of retail usage.
  • Risks are no longer limited to vulnerable protocols: both large centralized platforms and individual wallets are under threat.
  • For services, compromise of access and asset management remains critical: a single successful attack on keys or signatories can lead to losses of hundreds of millions of dollars.

Security as an Operational Task

As attacks shift toward mass targets, crypto asset protection depends less and less on blockchain complexity and more on basic digital hygiene. The preventive measures are clear:

  • Use hardware wallets for long-term storage;
  • Split assets among multiple addresses;
  • Avoid suspicious links and extensions;
  • Carefully check transactions and granted permissions.

For the industry as a whole, this means increased monitoring, stricter access control, and the fastest possible response to incidents. The experience of 2025 clearly showed that threats are growing, but a significant part of them can be mitigated if security is treated not as an abstraction but as a daily operational discipline.

So we act wisely and avoid unnecessary risks.

Profits to y’all!